TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Improvements Are Needed to Ensure Timely Resumption of Critical Business
Processes After an Emergency

September 24, 2013

Reference Number: 2013-10-102

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
and information determined to be restricted from public release has been redacted from this document.

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.treasury.gov/tigta

HIGHLIGHTS

IMPROVEMENTS ARE NEEDED TO ENSURE TIMELY RESUMPTION OF CRITICAL BUSINESS PROCESSES
AFTER AN EMERGENCY

Final Report issued on September 24, 2013

Highlights of Reference Number: 2013-10-102 to the Internal Revenue Service Chief,
Agency-Wide Shared Services.

IMPACT ON TAXPAYERS
Effective continuity planning and emergency preparedness can facilitate the IRS’s ability to
prepare for, respond to, and recover from emergencies. The IRS needs to improve selected aspects
of its continuity program. Absent effective continuity planning, the IRS may be challenged to
effectively collect taxes, issue refunds, and respond to taxpayer inquiries after an emergency
occurs.

WHY TIGTA DID THE AUDIT
This review is included in our Fiscal Year 2013 Annual Audit Plan and addresses the major
management challenge of Security for Taxpayer Data and Employees. The overall objective of this
review was to assess whether the IRS’s continuity program will enable the IRS to resume critical
functions in a timely manner.

WHAT TIGTA FOUND
The IRS did not always demonstrate that its continuity plan process would ensure that critical
business processes are resumed in a timely manner. For example, the IRS did not meet the Fiscal
Year 2012 annual reporting requirement to the Department of the Treasury certifying its
continuity capability plan. In addition, some continuity plans were not prepared as required or
were missing key information to facilitate the resumption of critical IRS operations. For
example, four of the 22 business units’ systemwide continuity plans were not prepared. In
addition, one local office within a business unit did not have site-specific continuity
processes or a plan to resume its critical functions after an emergency. Even when local
site-specific continuity processes and plans were prepared, some of them did not contain all of
the elements consistent with both Federal and IRS guidance.

Since August 2012, the IRS has not used a central repository for immediate access by management
to continuity plans in the event of an emergency. Also, continuity personnel responsible for
updating and maintaining the plans often changed jobs, and new personnel were not adequately
trained to carry out all of their responsibilities regarding continuity planning. Finally, the
IRS did not perform sufficient testing and exercises as required to validate recovery strategies
and procedures or to adequately address weaknesses identified during continuity exercises to
ensure the viability of the continuity plan in the event of an emergency.

WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief, Agency-Wide Shared Services, implement a process to ensure
that the annual certification requirement is met; ensure that continuity plans are immediately
prepared for four business units and that the existing continuity plan template is used by all
business units and functional offices; identify and monitor appropriate training to be completed
by field personnel responsible for continuity planning; develop a plan that establishes time
frames for the implementation of a fully functioning continuity plan database; and establish a
process to monitor the continuity tests and exercise program so that business unit personnel
meet the annual requirements.

In their response to the report, IRS management agreed with all eight recommendations and stated
that they plan to take or have taken corrective actions, including updating policies and
monitoring training requirements.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

September 24, 2013

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

FROM:       Michael E. McKenney
            Acting Deputy Inspector General for Audit

SUBJECT:    Final Audit Report – Improvements Are Needed to Ensure Timely
            Resumption of Critical Business Processes After an Emergency
            (Audit # 201210008)

This report presents the results of our review to assess whether the Internal Revenue Service’s
(IRS) continuity plan program will enable the IRS to resume critical functions in a timely
manner. This review is included in our Fiscal Year 2013 Annual Audit Plan and addresses the
major management challenge of Security for Taxpayer Data and Employees.

We would like to clarify one issue included in the IRS’s response to our report. The response
raised a concern with the validity of certain facts included in our report. Specifically, the IRS
contended that information in Figure 4 in the report understates the Wage and Investment (W&I)
Division’s completion rate on tests and exercises. The IRS stated that documentation was
submitted to the Treasury Inspector General for Tax Administration (TIGTA) prior to issuance
of the report verifying that the required testing was 100 percent complete and that TIGTA
refused to consider documentation that was submitted.
We disagree with these statements.

TIGTA requested and received information on continuity testing performed from four different
business units, including the W&I Division, between November 2012 and January 2013.
Between February 2013 and June 2013, TIGTA held multiple meetings with the IRS concerning
audit findings and was not provided any additional information concerning the W&I Division’s
continuity testing documentation. On June 17, 2013, we issued a discussion draft report, giving
the IRS another chance to submit additional information to clarify and correct findings which it
believed were inaccurate.

On June 27 and July 8, 2013, the IRS submitted additional information for consideration. As a
result, we adjusted the draft report in cases where sufficient evidence was provided to justify a
change. However, certain documents provided by the W&I Division did not justify changes to
our report. For example, the documentation submitted as evidence of the alert notification and
activation test for the Brookhaven Campus contained the exact same names of participants listed
as evidence of the same test for the Philadelphia Campus. The IRS later acknowledged that the
Brookhaven and Philadelphia forms were inadvertently duplicated due to human error. Due to
those types of inaccuracies, we were unable to rely on some of the documentation submitted as
evidence that 100 percent of the W&I Division’s tests and exercises were completed.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. If you have any questions, please contact me or Gregory D. Kutz, Assistant
Inspector General for Audit (Management Services and Exempt Organizations).

Table of Contents

Background

Results of Review
    Systemwide Continuity Plans Were Not Prepared or Lacked Sufficient Detail
        Recommendations 1 through 4
    The Centralized Repository to Control Continuity Plans Is Not Functioning As Intended
        Recommendations 5 and 6
    More Comprehensive Testing and Exercises of Continuity Plans Are Necessary
        Recommendation 7
        Recommendation 8

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Abbreviations

BU            Business Unit
FCD           Federal Continuity Directive
IRS           Internal Revenue Service
LB&I          Large Business and International
NCPOC         National Continuity Point of Contact
OCO           Office of Continuity Operations
SB/SE         Small Business/Self-Employed
TE/GE         Tax Exempt and Government Entities
TIGTA         Treasury Inspector General for Tax Administration
TSCC          Toolkit Suite Command Centre
W&I           Wage and Investment

Background

The Internal Revenue Service (IRS) has an obligation to protect the Federal Government’s tax
administration system. This system is made up of a network of critical business processes that
help carry out the mission of the IRS during both normal and adverse conditions. Effective
continuity planning and emergency preparedness can facilitate the IRS’s ability to prepare for,
respond to, and recover from emergencies. These efforts include restoring critical IRS functions
and providing human resources to support employee needs, which may involve approving
alternative work schedules and personnel reassignments.
When an emergency occurs, it is important to timely resume business operations because an
extended disruption to IRS facilities can affect key processes, such as collecting taxes,
processing tax returns and refunds, and responding to taxpayer inquiries. During Fiscal Year¹
2011, the IRS reported that it processed
almost 235 million returns, of which more than 133 million were filed electronically. The IRS
also provided nearly $416 billion in refunds and collected more than $2.4 trillion in taxes. In
addition, according to 2011 Filing Season statistics, there were nearly 323 million visits to IRS
websites from January 1 through December 31, 2011. Any sustained disruption to IRS
operations and offices could ultimately have a negative impact on the Nation’s economy as well
as taxpayer data and compliance.

To facilitate the performance of critical functions in emergency situations, the Federal
Government established policies that provide direction to Federal agencies for continuity
planning and programs. In May 2007, the President issued National Security Presidential
Directive 51 to establish and maintain a comprehensive and effective national continuity
capability to ensure the continuing performance of national essential functions under all
conditions. To provide additional operational guidance to implement this policy, the
U.S. Department of Homeland Security developed Federal Continuity Directives (FCD) 1 and 2.²
This guidance provides direction for developing continuity plans and programs as well as the
identification of agency essential functions. To provide planning guidance to implement these
policies, in Calendar Year 2009, the Department of Homeland Security also developed FCD 3,
which provides a continuity plan template that agencies may use to establish continuity plans and
programs. Although the template is voluntary, it addresses each of the elements and
requirements found in FCDs 1 and 2. In July 2009, the IRS created the Toolkit Suite Command
Centre (TSCC) to serve as a central storage point for all IRS continuity plans and provide easy
access as needed during an emergency.

¹ A 12-consecutive-month period ending on the last day of any month. The Federal Government’s
fiscal year begins on October 1 and ends on September 30.
² FCD 1 describes the key elements of a viable continuity capability and the importance of coordinating with
non-Federal organizations to establish and maintain a comprehensive and effective national continuity capability.
FCD 2 provides implementation guidelines for the requirements identified in FCD 1. It provides direction and
guidance to Federal entities for identifying their mission-essential functions and potential primary mission-essential
functions. Primary mission-essential functions represent a subset of agency-level mission-essential functions that
must be performed to support the performance of the national essential function before, during, and after an
emergency; whereas, mission-essential functions are activities that enable the IRS to provide vital services, exercise
civil authority, maintain public safety, and sustain the industrial and economic base during an emergency.

The IRS is required to submit an annual report to the Department of the Treasury certifying that
it has a continuity capability³ plan which ensures its ability to continually perform its
mission-essential functions.
IRS guidance calls for senior management responsible for IRS
business, operational, and functional units to ensure continuity plans are developed, exercised,
maintained, and updated. The IRS must also ensure that key leaders and support staff are trained
on IRS mission-essential functions as well as conduct comprehensive testing of its continuity
plans. The entire continuity plan must be reviewed annually and updated accordingly. IRS
guidance also requires the development of a separate continuity plan for each of its 22 business
units (BU).⁴ In addition, several process recovery and subplans are also maintained for various
locations and offices within those 22 BUs throughout the IRS. Figure 1 lists the IRS’s 22 BUs
that are required to have a continuity plan.

Figure 1: List of the IRS’s 22 BUs

• Affordable Care Act Program Office
• Agency-Wide Shared Services
• Appeals Office
• Chief Counsel
• Chief Financial Office
• Communications and Liaison
• Criminal Investigation
• Equity, Diversity, and Inclusion
• Human Capital Office
• Information Technology
• Large Business and International (LB&I) Division
• Office of Compliance Analytics
• Office of Online Services
• Office of Professional Responsibility
• Privacy, Governmental Liaison, and Disclosure
• Research, Analysis, and Statistics
• Return Preparer Office
• Small Business/Self-Employed (SB/SE) Division
• Tax Exempt and Government Entities (TE/GE) Division
• Taxpayer Advocate Service
• Wage and Investment (W&I) Division
• Whistleblower Office

Source: Treasury Inspector General for Tax Administration’s (TIGTA) analysis of the IRS’s BUs list.

³ The IRS continuity capability refers to its ability to perform its mission-essential functions continuously.
⁴ The term used to include IRS business operating divisions as well as its principal, functional, and project offices.

In prior audits, TIGTA identified weaknesses in the IRS’s emergency planning processes. For
example, in Fiscal Year 2011, TIGTA performed a review⁵ to determine whether the IRS
adequately prepared for and took the necessary actions to protect its employees, taxpayer data,
and Government property following the intentional flying of an airplane into an IRS building.
Although the Fiscal Year 2011 review showed that the IRS took the necessary actions to
evacuate and protect IRS employees, emergency planning was incomplete. Specifically, we
found that none of the business resumption plans for the eight BUs located at the IRS building
included all of the required elements. A similar condition was also reported in a Fiscal
Year 2008 audit⁶ in which we found that IRS business resumption plans were not adequately
completed, lacked detailed planning, and would not facilitate the efficient recovery of critical
business operations.

In March 2011, under the administration of the Office of Physical Security and Emergency
Preparedness, the IRS agreed to the development of a Continuity Improvement Plan.
In January 2012, the Office of Continuity Operations (OCO) was established to manage and
provide oversight of the IRS’s continuity program. Figure 2 illustrates the placement of the
newly created OCO within the IRS.

Figure 2: Placement of the Newly Created OCO

IRS Commissioner
    Deputy Commissioner for Operations Support
        Agency-Wide Shared Services
            Employee Support Services
                Office of Continuity Operations

Source: TIGTA’s analysis of the OCO’s organizational structure.

To further support the IRS’s continuity program, each BU designated at least one staff person to
serve as its National Continuity Point of Contact (NCPOC). The NCPOCs are primarily
responsible for ensuring that each BU is properly prepared and ready to respond should a
significant incident occur.

⁵ TIGTA, Ref. No. 2011-10-098, The Internal Revenue Service Adequately Prepared for and Responded to the
Austin Incident (Sept. 2011).
⁶ TIGTA, Ref. No. 2008-20-178, Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster
(Sept. 2008).

We performed on-site audit work at the IRS OCO Headquarters in Washington, D.C.,
and at the local field offices of the W&I Division in Kansas City, Missouri; LB&I Division in
New York City, New York; SB/SE Division in Ogden, Utah; and TE/GE Division in
Washington, D.C., during the period August through December 2012. Another TIGTA audit
reported⁷ on the IRS’s disaster recovery testing to recover major computing systems; therefore,
we did not perform any information technology audit work at the Martinsburg, West Virginia, or
Memphis, Tennessee, Computing Centers. We conducted this performance audit in accordance
with generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objective. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objective. Detailed information on our audit objective, scope, and methodology is presented in
Appendix I. Major contributors to the report are listed in Appendix II.

⁷ TIGTA, Ref. No. 2012-20-041, Disaster Recovery Testing Is Being Adequately Performed, but Problem Reporting
and Tracking Can Be Improved (May 2012).

Results of Review

Systemwide Continuity Plans Were Not Prepared or Lacked Sufficient Detail

The IRS did not submit an annual report to the Department of the Treasury certifying that it has a
continuity capability plan as required. In addition, not all IRS BUs prepared a systemwide
continuity plan, and none of the local site-specific continuity processes and plans we reviewed
were created or maintained in the TSCC so that they would be immediately available for
management during an emergency. Finally, adequate testing was not performed to ensure the
viability of continuity plans.

The IRS did not submit its annual continuity certification report to the Department
of the Treasury

The IRS did not meet the Department of the Treasury’s annual reporting requirement certifying
its continuity capability plan for Fiscal Year 2012. According to FCD 1, Federal Government
executive agencies are to annually submit a report to the National Continuity Coordinator
certifying that the agency has a continuity capability plan. This guidance also provides key
questions and measurements to use to certify that their organizations have a robust continuity
capability. To facilitate this requirement within the IRS, the Internal Revenue Manual⁸ requires
the IRS to submit an annual report to the Department of the Treasury certifying that it has a
continuity capability plan that includes all the necessary requirements.
OCO management did
not provide any documentation or specific reason why the annual reporting requirement to the
Department of the Treasury was not met.

⁸ Internal Revenue Manual 10.2.10.2.1 (Sept. 25, 2008).

Continuity plans for some IRS BUs were not prepared

We found that four of the 22 current systemwide continuity plans were not prepared.
Specifically, the four BUs are:
• Return Preparer Office: Responsible for registration, testing, and suitability of Federal
  tax preparers.
• Office of Online Services: Responsible for delivering strategy, policy, and initiatives to
  strengthen the IRS online services experience.
• Affordable Care Act Program Office: Responsible for implementing tax provisions for
  Affordable Care Act legislation.⁹
• Office of Compliance Analytics: Responsible for strategic compliance priorities.

Internal Revenue Manual 10.2.10.10.2.3, Senior Management/Executives, states that IRS
management responsible for a business, operating, or functional unit should ensure that
continuity plans are developed, exercised, implemented, and maintained. In addition, at a
minimum, the entire continuity plan is to be reviewed annually and updated accordingly. OCO
management stated that the reason continuity plans were not prepared for these four BUs was
because they were fairly new and three of the BUs were given verbal extensions to submit their
continuity plans by the end of Calendar Year 2013. However, management could not provide
any documentation to support that a verbal extension was granted.
In addition, we found that all
four BUs have been in existence for nearly two years. The absence of a continuity plan increases
the risk that the four IRS BUs will be unable to resume their critical functions following an
emergency.

Continuity plans for some IRS BUs were incomplete

During our review of systemwide continuity plans for the four BUs selected, we found that
continuity plans for two of the four BUs were incomplete.¹⁰ Specifically, the LB&I and TE/GE
Divisions’ plans failed to include sufficient detail and all of the required elements prescribed in
the IRS’s standard continuity plan template. For example, the two continuity plans provided
limited details above the preformatted language contained in the standard template regarding
their essential functions and plans for resuming their business processes. Both plans stated that
emergency conditions may require the relocation of staff to a continuity facility; however, the
plans failed to identify the alternate continuity facilities and continuity communications, which
include systems and information technology capabilities to support connectivity among key
Government leadership. In addition, the two plans did not identify the vital records needed by
the employees to perform their duties or document key details and recovery strategies.
Furthermore, the LB&I and TE/GE Divisions’ systemwide plans did not identify delegation of
authorities, which are critical in providing the legal authority for management to make key
policy decisions during an emergency. Figure 3 identifies the required key elements that we
determined were both complete and incomplete for the four systemwide continuity plans
reviewed.

⁹ Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended
by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.
¹⁰ The results of our detailed review of systemwide continuity plans for the four BUs cannot be projected beyond
those four BUs. A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the
population.

Figure 3: Incomplete Systemwide Continuity Plans¹¹

Key Continuity Plan Elements     W&I Division   SB/SE Division   LB&I Division   TE/GE Division
Essential Functions              Complete       Complete         Incomplete      Incomplete
Orders of Succession             Complete       Complete         Complete        Complete
Delegation of Authorities        Complete       Complete         Incomplete      Incomplete
Continuity Facilities            Complete       Complete         Incomplete      Incomplete
Continuity Communications        Complete       Complete         Incomplete      Incomplete
Vital Records                    Complete       Complete         Incomplete      Incomplete
Human Capital                    Complete       Complete         Complete        Complete
Tests, Training, and Exercises   Complete       Complete         Complete        Complete
Devolution                       Complete       Complete         Complete        Complete
Reconstitution                   Complete       Complete         Complete        Complete

Source: TIGTA’s analysis of the systemwide continuity plans for the four BUs we reviewed.

¹¹ Incomplete indicates the plan did not include information to address the specific continuity element as required.

FCDs 1 and 2 guidelines call for continuity plans to be developed and documented so that, when
implemented, the plans and procedures will provide for the continued performance of an
organization’s essential functions under all circumstances. Among other required elements,
these plans should include a description of prioritized mission-essential functions, critical
activities, and identification and safekeeping of vital records. Further, Internal Revenue Manual
10.2.10.8, Continuity Plan Content and Format,¹² calls for the development of a standardized
continuity plan template that must be used by all business, operating, and functional units when
preparing, updating, or creating a continuity plan. Consequently, in June 2009, the IRS created a
mandatory systemwide continuity plan template to be used by the BUs, which addressed each of
the elements and requirements found in FCDs 1 and 2. We determined that the continuity plans
were to address the following key elements:
• Essential Functions – identifies each BU’s prioritized mission-essential functions, which
  are a limited set of agency-level Government functions that must be continued throughout
  or resumed rapidly after a disruption of normal activities.
• Orders of Succession – addresses current orders of succession to the BU head and key
  positions, such as administrators, directors, and key managers within the BU.
• Delegations of Authority – identifies the legal authority for individuals to make key
  policy decisions during a continuity situation.
• Continuity Facilities – identifies alternate uses of existing facilities or virtual offices, for
  the relocation of key leaders and staff, located where the potential disruption of the BU’s
  ability to initiate and sustain operations is minimized.
• Continuity Communications – identifies critical communications and information
  technology to support connectivity among key Government leadership, internal and other
  BUs, critical customers, and the public during crisis and disaster conditions.
• Vital Records – identifies electronic and hardcopy documents, references, and records
  that are needed to support essential functions during a continuity situation.
• Human Capital – focuses on BU continuity personnel and all other special categories of
  employees who have not been designated as continuity personnel.
• Tests, Training, and Exercises – identifies measures to ensure that an agency’s
  continuity plan is capable of supporting the continued execution of the agency’s essential
  functions throughout the duration of a continuity situation.
• Devolution of Control and Direction – addresses the full spectrum of threats and events
  that may render a BU’s leadership or staff unavailable to support or execute the BU’s
  essential functions from either its primary or continuity locations.
• Reconstitution – identifies a plan to return to normal operations once BU heads or their
  successors determine resuming normal business operations can be initiated.

¹² Internal Revenue Manual 10.2.10.8 (Sept. 25, 2008).

We attribute the missing elements and lack of sufficient detail included in the continuity plans to
organizational changes, lack of oversight, and inadequate training and guidance. Since Calendar
Year 2011, the NCPOCs responsible for updating and maintaining these two systemwide
continuity plans have changed. According to one NCPOC, no continuity plan guidance or
instructions were provided by the OCO. Furthermore, another NCPOC responsible for drafting
the BU’s systemwide plan stated that she has not received any formal continuity training since
March 2011. Even in situations in which staffing changes occur frequently, all appropriate staff
must be adequately trained. If proper training does not occur, continuity personnel may be
unable to fulfill their responsibilities and duties in an emergency situation.

Local site-specific continuity processes and plans were not prepared in a format
consistent with the prescribed guidance and were missing key information

We found that the local site-specific processes and continuity plans for three of four offices we
visited were not prepared in the standardized format and did not contain all information
consistent with Federal and IRS guidance. For the remaining office, we determined that TE/GE
Division management had not prepared a site-specific continuity process and plan for its
Washington, D.C., office.
Instead, TE/GE Division management used the overall TE/GE
Division’s systemwide plan for its local continuity plan. However, we found that TE/GE
Division’s systemwide plan did not include specific details that would facilitate the resumption
of key business operations nor any site-specific processes and information for the local
Washington, D.C., office. In assessing the ability of the IRS to resume key business operations
at its local offices, we visited four local BU offices and reviewed the site-specific continuity
processes and plan for each location. Specifically, we reviewed the W&I Division’s plans for
the Kansas City Campus,[13] the SB/SE Division’s plans for the Ogden Campus, and the LB&I
Division’s plan for the New York City field office.[14]

Through a comparison of the IRS’s standardized template and the local site-specific processes
and plans, we found that the information contained in the old business resumption plans that
were being used by the Kansas City and Ogden Campuses along with the New York City field
office’s plan lacked several of the key elements included in both the Department of Homeland
Security and IRS guidelines.
Specifically, the continuity plans completed for the three local
offices were incomplete and lacked many of the following key elements:
   • Orders of Succession.
   • Delegation of Authorities.
   • Continuity Facilities.
   • Continuity Communications.
   • Tests, Training, and Exercises.
   • Devolution.
   • Reconstitution.

Internal Revenue Manual 10.2.10.5, Requirements for Continuity Plans and Procedures, states
that the key elements of continuity that shall be addressed include: mission-essential functions;
orders of succession; delegations of authority; continuity facilities; continuity communications
systems; vital records; human capital; test, training, and exercises; devolution; and reconstitution.
In addition, in January 2012, IRS Agency-Wide Shared Services management issued written
guidance, Fiscal Year 2012 IRS Continuity Program Requirements, to facilitate effective
business continuity planning and help ensure that the standard continuity plan template is used to
meet all required elements on an annual basis.

[13] There are 10 IRS campuses across the country that provide customer service to taxpayers by responding to
taxpayer questions and helping them understand and meet their tax responsibilities.
[14] See Appendix I for details on why we selected these BU locations.

We found that the local plans were incomplete due in part to the local IRS campus and field
office staff being unaware of the IRS’s standardized template and using their old business
resumption plan format for several years.
We also found that local officials did not receive any
recent training related to the preparation and testing of their local plans. Further, the OCO has
not prepared detailed guidance and procedures to assist local officials responsible for continuity
planning, nor is there a formal review and approval process for continuity plans. In addition, the
TE/GE Division’s continuity staff thought that its systemwide plan covered its local
Headquarters office in Washington, D.C.

We determined that although the Fiscal Year 2012 IRS Continuity Program Requirements
included continuity testing and exercise requirements, it did not provide a process for the training
of staff responsible for drafting continuity plans. Through interviews, we learned that several
staff responsible for managing and drafting plans at the locations we visited were not properly
trained. In addition, several key staff at three of the four local BUs we visited had not been
provided or participated in any formalized continuity training. For example, an IRS staff person
at one campus location confirmed that she did not receive any instructions, written guidance, or
training on how to prepare a continuity plan and, absent the use of another division’s continuity
plan, would not have known where to go, where to look, and what information to include in the
plan.
Staff at one field office site located in the area affected by Hurricane Sandy received
copies of a prior continuity plan from a co-worker who previously held the same position to use
as a guide and had not received any guidance on preparing a continuity plan.

In response to the impact of Hurricane Sandy[15] on the LB&I Division’s Midtown office, we
obtained its Employee Reporting Form dated November 7, 2012, to determine whether or not the
Midtown office was able to account for its employees as part of its continuity process.
According to this report, the LB&I Division was able to account for all of its employees as of
that date.

According to the OCO’s November 2012 Quarterly Report on NCPOC Training, only three of
the 47 NCPOCs have completed all four of the introductory continuity planning courses offered
through the IRS’s training website. Aside from the quarterly report, OCO management has no
centralized tracking system to monitor the training courses continuity planning personnel
complete. IRS OCO management stated that it is the responsibility of the NCPOCs to monitor
applicable training for personnel involved in continuity planning. However, only the NCPOCs for
two of the four BUs we reviewed were able to provide us with comprehensive lists of training
completed by staff involved in continuity planning for their respective BUs.

Incomplete and inaccurate documentation of the recovery procedures and strategies in IRS
continuity plans may impede the recovery of critical tax administration processes.

[15] Hurricane Sandy, which reached New York City on October 29, 2012, was the deadliest and most destructive
tropical cyclone of the 2012 Atlantic hurricane season and the second-costliest hurricane in U.S. history.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 1: Implement a process to ensure that the annual reporting requirement to
the Department of the Treasury certifying its continuity capability plan is met.
       Management’s Response: IRS management agreed with this recommendation and
       will ensure that updates to Internal Revenue Manual 10.6.1, Continuity Operations –
       Continuity Planning Requirements, will be completed once the Department of the
       Treasury has defined and issued the official reporting requirements for certifications at
       the bureau level. They will then establish and implement a process to ensure that the
       annual reporting requirement of its continuity plan is met.

Recommendation 2: Ensure that systemwide continuity plans are immediately prepared for
the Affordable Care Act Program Office, the Return Preparer Office, the Office of Compliance
Analytics, and the Office of Online Services.
       Management’s Response: IRS management agreed with this recommendation and
       stated that continuity plans were prepared for the Affordable Care Act Program Office,
       the Return Preparer Office, and the Office of Online Services.
       Further research showed
       that the Office of Compliance Analytics was added as a component of the
       Commissioner’s Complex in 2011 and is therefore included in their overall continuity
       plan.

Recommendation 3: Ensure that the existing IRS continuity plan template is current and
used by all BUs and local offices.
       Management’s Response: IRS management agreed with this recommendation and
       will review and update the continuity plan template and communicate the mandatory use
       of the template to all affected BUs and local offices.

Recommendation 4: Identify appropriate training that should be completed by field
personnel responsible for continuity planning activities and establish an effective monitoring
process to ensure that training is completed.
       Management’s Response: IRS management agreed with this recommendation and
       will identify appropriate training required to be completed by field personnel responsible
       for continuity planning. The IRS will also establish an effective monitoring process to
       ensure that required training is completed.

The Centralized Repository to Control Continuity Plans Is Not
Functioning As Intended

We determined that none of the local continuity plans we reviewed were created or maintained in
the TSCC. In addition, most of the personnel at the campuses and field offices we visited
responsible for continuity planning were unaware of the existence of the TSCC.
Those who
were familiar with the system confirmed that the system was rarely used.

Since July 2009, the TSCC has been designated as the repository database for IRS continuity
personnel to create and store IRS continuity plans and other related documents. Agency-Wide
Shared Services’ August 2010 IRS Continuity Program Requirements called for BU staff to input
their continuity plans into the TSCC. Since that time, systemwide continuity plans have been
maintained and updated within the system. Currently, the OCO is responsible for maintaining
the TSCC and ensuring that it contains all plans. However, we determined that the TSCC is
currently not being used to house and track continuity planning documents. Consequently, OCO
management does not have the necessary management information available in a centralized
location to assist in continuity planning if a serious incident occurs.

Although the Fiscal Year 2012 IRS Continuity Program Requirements provides for the
development and update of continuity plans using the standard template to ensure that all
required elements are met annually, the guidance did not require the use of the TSCC as a
management tool for IRS continuity plans. OCO management stated that there have been
numerous complaints about the functionality of the system, and the NCPOCs in one BU stated
that the TSCC is not user friendly and is unable to generate useful reports by users. As a result,
OCO management stated that they have not directed BU personnel to create or update continuity
plans in the TSCC since August 2012.

OCO management indicated that in March 2012 a technology specialist was assigned to review
the TSCC application for improvements.
In August 2012, OCO personnel informed us that they
expected a new version of the TSCC to be completed and available for use in April 2013.
However, in April 2013, the OCO confirmed that although progress has been made, it does not
expect a major part of its system reconfiguration process to be complete until June or July 2013
due to the lack of funding. The OCO further stated that once the reconfiguration process is
completed, the next steps will be to migrate all of the remaining BUs to the TSCC.
Consequently, the OCO was unable to provide an alternative or tentative release date for the new
version of the TSCC. Until the OCO rolls out a new centralized repository system or makes
improvements to the existing TSCC, the IRS will not have a central location for immediate
access to all BU continuity plans in the event of an emergency.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 5: Develop a plan that establishes the actions and time frames for the
implementation of a centralized working database for continuity plan tracking. In the interim,
management should ensure that all current continuity plans are obtained from BU personnel and
maintained for immediate reference.
       Management’s Response: IRS management agreed with this recommendation and
       will develop a plan and time frame for implementation of a centralized working database
       in the TSCC for continuity plan tracking.
       IRS management will also ensure that all
       current continuity plans are obtained from BU personnel and maintained for immediate
       reference.

Recommendation 6: Develop and issue written procedures requiring necessary personnel to
create and update future continuity plans on the TSCC when the system is fully functional.
       Management’s Response: IRS management agreed with this recommendation and
       will ensure development and issuance of written procedures requiring personnel to create
       and update future continuity plans within the TSCC.

More Comprehensive Testing and Exercises of Continuity Plans Are
Necessary

We determined that continuity testing was not comprehensive enough to ensure that IRS
management could effectively resume critical operations in an emergency situation. In addition,
we determined that deficiencies identified during continuity exercises have not been adequately
addressed. Conducting continuity tests and exercises is critical to ensuring the viability of
established continuity plans.
Our review of the testing and exercises completed in Fiscal
Year 2012 showed that the BUs participated in some of the following tests and exercises:
   • Calling Tree Notifications – tests the accuracy and completeness of the organization’s
     management and employees’ contact information and the procedures for reaching them
     timely.
   • Alert, Notification, and Activation Tests – tests procedures to timely alert, notify, and
     activate recovery team members and validate the accuracy and completeness of their
     contact information.
   • Communication Systems and Equipment Tests – tests to ensure that emergency
     communications systems, equipment, and procedures are kept in a constant state of
     readiness.
   • Tabletops Exercises – tests discussion-based exercises to ensure that each IRS
     organization’s senior team is knowledgeable of their continuity roles, responsibilities, and
     plans and procedures.
   • Relocation Exercises – tests executive leadership’s readiness to respond and the ability
     to continue or resume essential or critical operations at alternate locations.
   • Integrated Functional Exercises – tests the capability to continue its mission-essential
     functions within recovery time objectives.

During our audit, two of the four BUs we reviewed completed all their planned tests and
exercises in Fiscal Year 2012.
Figure 4 shows the types and number of tests and exercises
completed in Fiscal Year 2012:

Figure 4: Fiscal Year 2012 Tests and Exercises Completed[16] for Four BUs

                              Alert,
                Calling Tree  Notification,   Communication                            Integrated
                Notification  and Activation  Systems and      Tabletop   Relocation  Functional  Totals and
BU              Tests         Tests           Equipment Tests  Exercises  Exercises   Exercises   Percentages
W&I Division    0 of 1        7 of 13         3 of 3           0 of 0     0 of 1      4 of 5      14 of 23 (61%)
SB/SE Division  1 of 1        4 of 4          3 of 3           0 of 0     0 of 0      1 of 1      9 of 9 (100%)
LB&I Division   0 of 1        2 of 4          1 of 3           0 of 0     0 of 0      0 of 0      3 of 8 (38%)
TE/GE Division  1 of 1        4 of 4          3 of 3           1 of 1     0 of 0      0 of 0      9 of 9 (100%)

Source: TIGTA’s analysis of Agency-Wide Shared Services’ Fiscal Year 2012 Test and Exercise Compliance
Tracking information for IRS BUs.

Of the four local offices we visited, only one location participated in a required annual tabletop
exercise in Fiscal Year 2012. We also determined that the continuity exercises performed at the
sites were either not documented in an After Action Report[17] as required or the deficiencies
identified were not adequately addressed. For example, an After Action Report was not drafted
as required for the tabletop exercise conducted in Fiscal Year 2012 for the TE/GE Division.

[16] Figure 4 exhibits the aggregate total of tests and exercises, which includes those completed by local offices and
campuses within the four BUs reviewed.
[17] A document that captures a review of the effectiveness of continuity plans and procedures and the identification of
areas for improvement.

Both FCD 1 and Internal Revenue Manual[18] guidelines require the development and maintenance
of a continuity test, training, and exercise program for conducting and documenting activities to
prepare personnel for the continuation of the performance of the IRS’s mission-essential
functions. These activities are to be performed annually and are essential to demonstrating,
assessing, and improving the ability of the IRS to execute its continuity program, plans, and
procedures.

Agency-Wide Shared Services’ Fiscal Year 2012 IRS Continuity Program Requirements called
for BUs to quarterly report and update a designated SharePoint[19] site to reflect the schedule and
completion of their continuity tests and exercises.
OCO management uses this SharePoint site to
monitor the status and completion of BU testing and exercises. OCO personnel are responsible
for coordinating the overall continuity testing and exercise schedule for the BUs.

Except for staff at one local office who participated in a continuity exercise in Fiscal Year 2012,
we found that a number of personnel involved in drafting and updating continuity plans at the
remaining three locations have either never participated in an exercise or participated in
exercises earlier than Fiscal Year 2012. Consequently, guidance set forth in FCD 1 and the
Internal Revenue Manual pertaining to the annual exercise requirement was not always followed.
For example, the LB&I Division’s staff stated that they participate in tabletop exercises every
two years but do not participate in integrated functional exercises. In addition, TE/GE Division’s
continuity staff stated that they participated in both a tabletops and an integrated functional
exercise in June 2012 but did not know why the June exercise was omitted from the training
records maintained on the SharePoint site. OCO management stated that all BUs are required to
participate in tabletops and integrated functional exercises and are required to keep all test and
exercise records current.

Continuity test and exercise activities validate the recovery strategies, assumptions, and
procedures against likely disasters or emergency events.
However, if adequate continuity testing
is not performed or testing deficiencies are not effectively addressed, there is an increased risk
that the IRS will be unable to effectively and timely resume critical business processes.

[18] Internal Revenue Manual 10.2.10.6.8 (Sept. 25, 2008).
[19] The IRS intranet website designed for workgroup collaboration and for sharing files where access should be
limited.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 7: Establish a process to monitor the continuity testing and exercise
program to ensure that an adequate number of exercises are available so that BU continuity
personnel meet the annual testing and exercise requirements.
       Management’s Response: IRS management agreed with this recommendation and
       will establish a process to monitor the continuity testing and exercise program.
IRS\n       management further stated that in consideration of budget constraints, annual testing and\n       exercises will be conducted to the best of their ability as alternative methods of meeting\n       the requirements are implemented.\nRecommendation 8: Establish a process to monitor deficiencies identified during continuity\nexercises to ensure that weaknesses are addressed as appropriate.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation and\n       will establish a process to monitor deficiencies identified during continuity exercises to\n       ensure that weaknesses are addressed as appropriate.\n\n\n\n\n                                                                                           Page 16\n\x0c                           Improvements Are Needed to Ensure Timely Resumption\n                             of Critical Business Processes After an Emergency\n\n\n\n                                                                                                      Appendix I\n\n            Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to assess whether the IRS\xe2\x80\x99s continuity plan program will\nenable the IRS to resume critical functions in a timely manner. To accomplish our objective, we:\nI.         Obtained and reviewed guidance and criteria regarding continuity plans.\n           A. Obtained and reviewed Federal, U.S. Department of Homeland Security, and IRS\n              criteria governing continuity plans.\n           B. Obtained and reviewed guidance provided to the BUs on continuity plan preparation.\n           C. Determined whether the IRS, on an annual basis, submits a report to the Department\n              of the Treasury certifying that the IRS has a continuity capability plan with the\n              required continuity requirements in accordance with the National Continuity Policy.\nII.        
Determined whether the IRS prepared continuity plans that addressed all critical\n           processes.\n           A. For the 22 BUs within the IRS required to submit continuity plans, determined the\n              number of plans and/or subplans that have not yet been submitted or are not current.\n           B. For those plans that have not been submitted or are not current, determined the cause\n              and whether the plans should address any of the critical processes.\nIII.       Determined whether selected continuity plans were prepared in accordance with Federal\n           guidelines.\n           A. Reviewed the templates developed by the IRS for preparation of continuity plans to\n              determine whether they were complete, adhered to guidance and criteria, and\n              addressed the required critical business processes.\n           B. Selected a judgmental1 sample of four of the IRS\xe2\x80\x99s 22 BUs to determine if the plans\n              contained all required IRS elements. To select the plans, we considered and\n              identified the IRS\xe2\x80\x99s critical processes, the BUs that perform these processes, the\n              buildings in which the highest number of employees who perform these critical\n              processes are located, and the sites that have been focal points for prior terrorist\n              attacks and natural disasters. 
We judgmentally selected and performed site visits to\n              the W&I Division\xe2\x80\x99s offices at the Kansas City Campus located in Kansas City,\n              Missouri; the SB/SE Division\xe2\x80\x99s offices at the Ogden Campus located in Ogden, Utah;\n\n1\n    A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n                                                                                                                Page 17\n\x0c                             Improvements Are Needed to Ensure Timely Resumption\n                               of Critical Business Processes After an Emergency\n\n\n\n                   the LB&I Division\xe2\x80\x99s Midtown field office located in New York City, New York; and\n                   the TE/GE Division\xe2\x80\x99s North Capitol Field Office located in Washington, D.C. We\n                   judgmentally selected the Kansas City Campus because it was estimated to process\n                   the largest number of individual income tax returns in Calendar Year 2011. We\n                   selected the Ogden Campus because it is the only campus responsible for processing\n                   corporate and tax exempt tax returns. In addition, we selected the New York City and\n                   Washington, D.C., field offices because they are located in cities where past terrorist\n                   threats and incidents have occurred. Because we only reviewed four systemwide\n                   plans along with local plans for one local office within each of the four BUs, the\n                   results of our detailed review cannot be projected beyond those four BUs.\nIV.           Determined whether the IRS conducted timely and complete tests to ensure the viability\n              of continuity plans in the event of an incident.\n              A. 
Determined whether the IRS implemented adequate policies and procedures to ensure\n                 that plans are tested and maintained.\n              B. Reviewed the results of tests on sampled continuity plans to determine whether\n                 weaknesses identified during testing were corrected in a timely manner.\nV.            Evaluated the OCO\xe2\x80\x99s methodology for monitoring the continuity plan process.\n              A. Determined where and how continuity plans are maintained.\n              B. Determined whether continuity plans are annually reviewed independently of the\n                 preparer.\n              C. Determined whether a \xe2\x80\x9cchange control process\xe2\x80\x9d2 was used to update and revise plans.\n      Internal controls methodology\n      Internal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\n      mission, goals, and objectives. Internal controls include the processes and procedures for\n      planning, organizing, directing, and controlling program operations. They include the systems\n      for measuring, reporting, and monitoring program performance. We determined the following\n      internal controls were relevant to our audit objective: the OCO\xe2\x80\x99s policies, procedures, and\n      practices for continuity planning. We evaluated these controls by interviewing personnel located\n      at the OCO and four field locations and reviewing continuity and business resumption plans,\n      reports documenting continuity exercises, and other related documents.\n\n\n\n\n      2\n       Refers to Continuity Plan Control and Maintenance (Internal Revenue Manual 10.2.10.8.1 (Sept. 
25, 2008)), which includes procedures regarding the review and modification of continuity plans along with follow-up on planned controls.

Appendix II

Major Contributors to This Report

Gregory D. Kutz, Assistant Inspector General for Audit (Management Services and Exempt Organizations)
Jeffrey M. Jones, Director
Jonathan Meyer, Director
Joseph F. Cooney, Audit Manager
Jamelle L. Pruden, Lead Auditor
LaToya R. Penn, Senior Auditor
Michele N. Strong, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Director, Office of Continuity Operations, Employee Support Services, Agency-Wide Shared Services OS:S:ESS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief, Agency-Wide Shared Services OS:A

Appendix IV

Management’s Response to the Draft Report
'